Add a trigger to call ldap_backend define

Ldap_backend is a define so we need a resource to talk it. If
ldap_backend_enable set by tripleo-heat-templates, we call the
ldap_backend as a resource.

Given an environment such as the following:

parameter_defaults:
  KeystoneLdapDomainEnable: true
  KeystoneLDAPBackendConfigs:
    tripleoldap:
      url: ldap://192.0.2.250
      user: cn=openstack,ou=Users,dc=redhat,dc=example,dc=com
      password: Secrete
      suffix: dc=redhat,dc=example,dc=com
      user_tree_dn: ou=Users,dc=redhat,dc=example,dc=com
      user_filter: "(memberOf=cn=OSuser,ou=Groups,dc=redhat,dc=example,dc=com)"
      user_objectclass: person
      user_id_attribute: cn
      user_allow_create: false
      user_allow_update: false
      user_allow_delete: false
  ControllerExtraConfig:
    nova::keystone::authtoken::auth_version: v3
    cinder::keystone::authtoken::auth_version: v3

It would then create a domain called tripleoldap with an LDAP
configuration as defined by the hash. The parameters from the
hash are defined by the keystone::ldap_backend resource in
puppet-keystone.

More backends can be added as more entries to that hash.

Partial-Bug: 1677603
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Guillaume Coré <gucore@redhat.com>
Signed-off-by: Cyril Lopez <cylopez@redhat.com>
Change-Id: I1593c6a33ed1a0ea51feda9dfb6e1690eaeac5db
(cherry picked from commit b8388e378a9151bccbac0db0478b1ef5d1e2e3fb)

2 files changed, 21 insertions, 0 deletions

diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 8d8c235..91ebd4d 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -67,6 +67,15 @@
 #   heat admin user name
 #   Defaults to undef
 #
+# [*ldap_backends_config*]
+#   Configuration for keystone::ldap_backend. This takes a hash that will
+#   create each backend specified.
+#   Defaults to undef
+#
+# [*ldap_backend_enable*]
+#   Enables creating per-domain LDAP backends for keystone.
+#   Default to false
+#
 # [*manage_db_purge*]
 #   (Optional) Whether keystone token flushing should be enabled
 #   Defaults to hiera('keystone_enable_db_purge', true)
@@ -100,6 +109,8 @@ class tripleo::profile::base::keystone (
   $heat_admin_email              = undef,
   $heat_admin_password           = undef,
   $heat_admin_user               = undef,
+  $ldap_backends_config          = undef,
+  $ldap_backend_enable           = false,
   $manage_db_purge               = hiera('keystone_enable_db_purge', true),
   $public_endpoint_network       = hiera('keystone_public_api_network', undef),
   $rabbit_hosts                  = hiera('rabbitmq_node_names', undef),
@@ -157,6 +168,11 @@ class tripleo::profile::base::keystone (
       ssl_key_admin  => $tls_keyfile_admin,
     }
     include ::keystone::cors
+
+    if $ldap_backend_enable {
+      validate_hash($ldap_backends_config)
+      create_resources('::keystone::ldap_backend', $ldap_backends_config)
+    }
   }
 
   if $step >= 4 and $manage_db_purge {
diff --git a/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml
new file mode 100644
index 0000000..0fb9271
--- /dev/null
+++ b/releasenotes/notes/add-ldap-backend-48e875e971343e2a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Add keystone::ldap_backend call as resource when is trigged to setup a LDAP
+    backend as keystone domain. This allows per-domain LDAP backends for
+    keystone.